In cybersecurity, compromise is not a matter of if but when. Remember that? We all said it, we all communicated it, we all even got sick of it. “Prevention isn’t perfect” became an accepted philosophical pillar of modern security programs. And we all got better because of it.
But the disclosure this week that the US Treasury was compromised and actors maintained persistence to monitor Office 365 email for months is a stark reminder that the message bears repeating. Hackers managed to breach US Treasury and Commerce departments by tampering with a SolarWinds software update and installing malware.
From there, they impersonated users to gain unauthorized access to Office 365 accounts which they used to spy on email and exfiltrate data. The Office 365 breaches happened in the summer, which means the attackers were able to remain undetected and persist their attack. This is likely the tip of the iceberg.
Users and data have moved to SaaS
Security concerns these days largely center around users and data. Our users and data have moved to SaaS. Data is an obvious target to gather intellectual property, financial records, and other information that can be monetized. Users are a target because they can be impersonated, used to spam, scam, and escalate. Users who are benign can still make risky mistakes, so we have to worry about them, too.
When adversaries target your environment, access is king. Getting in is good, but staying in is even better. Sophisticated groups often play the long game – they want to surreptitiously bleed out the information and intelligence that empowers them. They do this with persistence, and the best persistence is to look just like a regular user. They need users’ credentials.
The SaaS shift is too prevention-focused
When adversaries hide in plain sight by impersonating legitimate users, prevention is hard. Let’s be honest, unless you are a very strict organization, prevention is always hard. With SaaS, there’s very little that gets installed, and it’s hard to restrict users to a specific geographic location for their activity.
Yet in the shift to cloud and specifically SaaS, many organizations have forgotten that prevention isn’t perfect. Or, if we give them the benefit of the doubt, they haven’t fully employed strategies with defense in depth in mind. Perhaps it is the ease of use of SaaS tools that makes them feel robust and secure. Perhaps it is the focus on productivity and speed. Perhaps when working with our new productivity tools the mindset that “they’ll take care of security” is too pervasive. Perhaps it is because it is new and where to start is elusive. Or maybe the ever-present struggle in security to find more time and more budget is the factor. Regardless, prevention has become a crutch without monitoring to back it up.
It is especially disheartening to see organizations rely too heavily on prevention when the data those prevention decisions were based on is wrong. Take, for example, Microsoft 365 (formerly called Office 365). How many organizations don’t understand the incredible weakness that “basic authentication” introduces? If you have established a multi-factor authentication (MFA) policy, and even made MFA mandatory, yet you still have basic authentication enabled, adversaries need only a username and password to get in. And we all know how safe that combination is when humans are involved.
Thus, when a strategy has leaned too far into prevention, one crack in the dam, one slip through the wall, and nothing raises the alarm. It is a malfunction with no alert and no black box for later analysis: a silent failure.
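To make the basic-authentication gap concrete, here is an added example (not code from the original post, and not a vendor’s log schema) that models a tenant’s preventative sign-in decision and the detective control that surfaces what slips through. The sign-in record shape, the legacy-protocol list and the sample records are constructed for the example; the point it shows is that an MFA policy is never even evaluated for a protocol that cannot prompt for MFA, so only the tenant-wide basic-auth switch closes that path, and until it is closed a monitor for "successful sign-in without MFA" is what raises the alarm.

```python
# Added example, not code from the original post: a simplified model of the
# basic-authentication gap (an MFA policy that a legacy protocol never
# triggers) and the detective control that surfaces it. The sign-in record
# shape and the protocol list are constructed and are not a vendor's schema.
from dataclasses import dataclass
from typing import List

# Client protocols that carry only a username and password and cannot
# complete an interactive MFA challenge. Constructed list for the example.
LEGACY_PROTOCOLS = {"IMAP4", "POP3", "Authenticated SMTP", "Other clients"}


@dataclass(frozen=True)
class SignIn:
    user: str
    client_app: str       # e.g. "Browser" or "IMAP4"
    password_ok: bool     # the submitted password was correct
    mfa_satisfied: bool   # an MFA challenge was completed for this sign-in


@dataclass(frozen=True)
class TenantPolicy:
    mfa_required: bool        # MFA policy configured, even made mandatory
    basic_auth_enabled: bool  # legacy protocols still accepted by the tenant


def evaluate(sign_in: SignIn, policy: TenantPolicy) -> str:
    """Preventative decision for one sign-in: 'allow' or 'deny'."""
    if not sign_in.password_ok:
        return "deny"
    if sign_in.client_app in LEGACY_PROTOCOLS:
        # The legacy protocol never presents an MFA prompt, so the MFA
        # policy is simply not evaluated on this path. Only the tenant-wide
        # switch that disables basic authentication closes it.
        return "allow" if policy.basic_auth_enabled else "deny"
    if policy.mfa_required and not sign_in.mfa_satisfied:
        return "deny"
    return "allow"


def find_mfa_bypasses(sign_ins: List[SignIn], policy: TenantPolicy) -> List[SignIn]:
    """Detective control: successful sign-ins that never satisfied MFA.
    Each hit is a password-only entry into an account the MFA policy was
    supposed to protect."""
    return [s for s in sign_ins
            if evaluate(s, policy) == "allow" and not s.mfa_satisfied]


# Constructed sample: the same user and the same (correct) password seen
# through a modern client and through a legacy mail protocol.
SAMPLE_SIGN_INS = [
    SignIn("jdoe@example.com", "Browser", password_ok=True, mfa_satisfied=True),
    SignIn("jdoe@example.com", "Browser", password_ok=True, mfa_satisfied=False),
    SignIn("jdoe@example.com", "IMAP4", password_ok=True, mfa_satisfied=False),
    SignIn("jdoe@example.com", "IMAP4", password_ok=False, mfa_satisfied=False),
]

MFA_BUT_BASIC_AUTH_ON = TenantPolicy(mfa_required=True, basic_auth_enabled=True)
MFA_AND_BASIC_AUTH_OFF = TenantPolicy(mfa_required=True, basic_auth_enabled=False)


def bypass_count(policy: TenantPolicy) -> int:
    """Number of password-only successes in the sample under a given policy."""
    return len(find_mfa_bypasses(SAMPLE_SIGN_INS, policy))


if __name__ == "__main__":
    for name, policy in [("basic auth on", MFA_BUT_BASIC_AUTH_ON),
                         ("basic auth off", MFA_AND_BASIC_AUTH_OFF)]:
        hits = find_mfa_bypasses(SAMPLE_SIGN_INS, policy)
        print(f"{name}: {len(hits)} password-only sign-in(s) got through")
        for s in hits:
            print(f"  {s.user} via {s.client_app}")
```

With MFA mandatory but basic authentication still on, the browser sign-in without MFA is denied while the IMAP4 sign-in with the same password is allowed and never challenged; that one record is exactly what a continuous monitor should be reporting every day until the legacy protocols are switched off, after which the same sample produces zero bypasses.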
Remembering defense in depth
Defense in depth is more than a good idea, it’s essential. We learned this in networks, we learned it in devices (endpoints), and now we need to remember it in every other area. Whether it is applications or infrastructure, we must lock things down, write good policy, and then assume both maliciousness and mistakes will be in play. That is where detective and corrective controls complement preventative ones.
Detective controls assume preventative failure and strive to see everything occurring that shouldn’t. While detective controls aren’t perfect either, the combination of strong prevention and strong detection is key. Stop everything you can (while letting people do their jobs), detect everything that makes it through, be prepared to respond to issues, and iterate.
A fundamental strength of security is ongoing skepticism: should this or that be happening? With prevention, it’s a binary decision of whether or not to let the transaction occur. Make a bad assessment and all the downstream effects are essentially trusted. That’s not what we want. Once the adversary has logged in, how are you analyzing the behavior? If a new MFA device is added to the account, are you reviewing that activity? What if MFA intercept occurs, or OAuth tokens are granted that will live for a year? What do you do then? How are you defending against these today?
If you are a big prevention advocate, that’s great. Continuous monitoring informs prevention. It is by understanding what users are doing that you can combine explicit constraints with learned ones. Take the more cut-and-dried policies and combine them with restrictions known to fit the productivity needs of the organization. If you don’t know how your teams are using the cloud, how can you lock it down?
You may be saying: yes, I’ve been concerned, I hear you, but I am unsure how to approach my modern IT systems. How do I do it in SaaS?
No more silent failures in the cloud
We started Obsidian because we saw how transformative EDR was to not only endpoint security, but to security operations, incident response consultancies, security programs and strategy, and more. It was far more transformative to security than simply upgrading anti-virus technology.
Yet where has this been for SaaS? Microsoft 365, Google Workspace (G Suite), Salesforce, Workday, and other mission-critical productivity tools require continuous monitoring. Failing to prevent an unauthorized user from using stolen credentials, creating mailbox delegations or API tokens, or taking other risky actions should not mean those actions can persist in the environment. A winning strategy is to combine prevention with early detection and accelerated investigation capabilities. Raise the bar across the spectrum.
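As an added example of what "detect everything that makes it through" looks like for the post-login actions named in the previous section and here (a new MFA device on an account, an OAuth consent that yields a long-lived token, mailbox delegation, API token creation), the following script is not from the original post or from Obsidian’s product. It runs a few detection rules over constructed SaaS audit events, escalates when one actor performs several persistence actions inside a short window, and answers the retrospection question by pulling everything an actor did inside a suspected compromise window. The event names, field names, thresholds and sample events are our own simplified shape, not any vendor’s audit-log schema.

```python
# Added example, not code from the original post: a detection pass over
# constructed SaaS audit events for post-login persistence actions, a burst
# escalation, and a retrospection query. Event names, fields, thresholds and
# the sample events are our own simplified shape, not a vendor's schema.
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Callable, List, Optional, Set, Tuple

# Constructed audit events (not real logs). Timestamps are UTC ISO-8601.
EVENTS: List[dict] = [
    {"ts": "2020-06-02T09:14:00Z", "actor": "jdoe", "action": "UserLoggedIn", "ip": "203.0.113.7", "details": {}},
    {"ts": "2020-06-02T09:16:00Z", "actor": "jdoe", "action": "MfaMethodAdded", "ip": "203.0.113.7", "details": {"method": "phone"}},
    {"ts": "2020-06-02T09:20:00Z", "actor": "jdoe", "action": "OAuthConsentGranted", "ip": "203.0.113.7", "details": {"app": "Mail Sync Helper", "scopes": ["Mail.Read", "offline_access"], "token_lifetime_days": 365}},
    {"ts": "2020-06-02T09:25:00Z", "actor": "jdoe", "action": "MailboxPermissionAdded", "ip": "203.0.113.7", "details": {"mailbox": "cfo", "grantee": "jdoe", "rights": "FullAccess"}},
    {"ts": "2020-06-03T11:00:00Z", "actor": "asmith", "action": "UserLoggedIn", "ip": "198.51.100.20", "details": {}},
    {"ts": "2020-06-03T11:05:00Z", "actor": "asmith", "action": "OAuthConsentGranted", "ip": "198.51.100.20", "details": {"app": "Corp Calendar", "scopes": ["Calendars.Read"], "token_lifetime_days": 1}},
    {"ts": "2020-06-10T02:40:00Z", "actor": "jdoe", "action": "ApiTokenCreated", "ip": "198.51.100.99", "details": {"name": "automation", "expires_days": 180}},
]

LONG_LIVED_DAYS = 90  # threshold chosen for this example


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def rule_new_mfa_method(e: dict) -> Optional[str]:
    """A new MFA method on an account turns a one-off session into durable access."""
    if e["action"] == "MfaMethodAdded":
        return f"new MFA method registered: {e['details']['method']}"
    return None


def rule_long_lived_oauth(e: dict) -> Optional[str]:
    """Consent with a refresh-token scope or a long lifetime outlives a password reset."""
    if e["action"] != "OAuthConsentGranted":
        return None
    d = e["details"]
    if "offline_access" in d["scopes"] or d["token_lifetime_days"] >= LONG_LIVED_DAYS:
        return f"long-lived OAuth consent to '{d['app']}' ({d['token_lifetime_days']} days)"
    return None


def rule_mailbox_delegation(e: dict) -> Optional[str]:
    """Full mailbox delegation is a quiet way to keep reading someone else's mail."""
    if e["action"] == "MailboxPermissionAdded" and e["details"]["rights"] == "FullAccess":
        return f"FullAccess on mailbox '{e['details']['mailbox']}' granted to {e['details']['grantee']}"
    return None


def rule_api_token(e: dict) -> Optional[str]:
    """API tokens bypass interactive login entirely, so every creation is worth a look."""
    if e["action"] == "ApiTokenCreated":
        return f"API token '{e['details']['name']}' created, expires in {e['details']['expires_days']} days"
    return None


RULES: List[Callable[[dict], Optional[str]]] = [
    rule_new_mfa_method, rule_long_lived_oauth, rule_mailbox_delegation, rule_api_token,
]


def detect(events: List[dict]) -> List[Tuple[dict, str]]:
    """Run every rule over every event; return (event, reason) hits in time order."""
    hits = []
    for e in sorted(events, key=lambda ev: parse_ts(ev["ts"])):
        for rule in RULES:
            reason = rule(e)
            if reason:
                hits.append((e, reason))
    return hits


def persistence_burst(events: List[dict], window: timedelta = timedelta(hours=1),
                      min_hits: int = 2) -> Set[str]:
    """Escalate actors with several persistence hits inside one window: one
    delegation may be routine, a cluster right after a login rarely is."""
    by_actor = defaultdict(list)
    for e, _ in detect(events):
        by_actor[e["actor"]].append(parse_ts(e["ts"]))
    flagged = set()
    for actor, times in by_actor.items():
        times.sort()
        for i, start in enumerate(times):
            if len([t for t in times[i:] if t - start <= window]) >= min_hits:
                flagged.add(actor)
                break
    return flagged


def retrospect(events: List[dict], actor: str, since: str, until: str) -> List[dict]:
    """Retrospection: every action by an actor inside a suspected compromise window."""
    lo, hi = parse_ts(since), parse_ts(until)
    return [e for e in sorted(events, key=lambda ev: parse_ts(ev["ts"]))
            if e["actor"] == actor and lo <= parse_ts(e["ts"]) <= hi]


if __name__ == "__main__":
    for e, reason in detect(EVENTS):
        print(f"{e['ts']} {e['actor']:<7} {e['ip']:<15} {reason}")
    print("burst escalation:", persistence_burst(EVENTS))
    for e in retrospect(EVENTS, "jdoe", "2020-06-01T00:00:00Z", "2020-06-05T00:00:00Z"):
        print(f"  {e['ts']} {e['action']} from {e['ip']}")
```

On the sample, the short-lived calendar consent by asmith is left alone while jdoe’s new MFA method, the consent carrying offline_access, the FullAccess delegation and the later API token are all reported; the three actions within minutes of one login trigger the burst escalation, and the retrospection query reconstructs the whole sequence for the incident responder rather than leaving it as a silent failure.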
It is time to give yourself the chance to disrupt attackers multiple times throughout the kill chain. We suggest you ask yourself and your team these questions:
- Are we continuously monitoring account activity?
- Can we do incident response against SaaS?
- How can we detect multiple kinds of attacker behavior?
- How can we do retrospection against our environment?
Obsidian enables you to be proud of your answers to these questions, but regardless of your taste for Obsidian, we suggest you take a strong look at SaaS security monitoring in your organization.